Claude Cowork for accounting firms: secure books, close, and tax work for Canadian CPAs

Accountants are asking whether Claude Cowork can touch client books without putting confidential financial data at risk. According to Statistics Canada, finance and insurance firms already use AI at 30.6%, and professional services lead at 31.7%, so staff at most practices are testing these tools. The duty to keep client information confidential stays with the firm.

Mike Pearlstein, CISSP, MSc AI, founder of Fusion Computing, which has secured IT for Canadian accounting and finance firms across Toronto, Hamilton, and Metro Vancouver since 2012.

Key takeaways

  • An accounting firm can use Claude Cowork on a Team or Enterprise plan with access scoped to one client folder and a written policy.
  • Cowork connects to QuickBooks, so reconciliation and month-end prep are a strong fit. Scope it to one client, not the whole drive.
  • Cowork stores its work locally, so it sits outside your audit logs. For CPA file documentation and CRA audits, you build that record yourself.
  • A CPA signs off on anything filed. Never put client tax data on a personal account.

Can accounting firms use Claude Cowork with client financial data?

Yes, an accounting firm can use Claude Cowork on a Team or Enterprise plan, with access scoped to one client’s working folder and a written usage policy. CPA confidentiality duties and PIPEDA bind the firm, not the software. On the business plans, your content is not used to train Anthropic’s models by default, which is why client books belong there and never on a personal account.

The point is that confidentiality is the firm’s obligation under the CPA Code of Professional Conduct, and no vendor setting removes it. What a practice controls is the scope: which files the agent opens, which plan governs the data, and who reviews the numbers before filing. On the business tiers, Anthropic’s privacy commitments keep that data out of model training.

It’s the same secure-adoption logic from the pillar guide on using Claude Cowork securely in your business, applied to a CPA practice, and it sits alongside our broader IT for accounting firms work. The law-firm version of this guide covers the parallel duties for law firms using Cowork.

What Claude Cowork actually does for an accounting firm

Claude Cowork completes multi-step financial work rather than answering a single question. Because Claude for Small Business connects natively to QuickBooks, the practical jobs are reconciliation, month-end close prep, first-draft financial statements, organizing tax documents, and cleaning up accounts payable and receivable. Each output is a draft for a CPA to verify, not a filing.

Here’s how those jobs map to the work, with the guardrail that keeps each one safe. Fusion Computing walks firms through this before any pilot, the same way we scope any AI services engagement.

| Task | What Cowork does | The guardrail |
| --- | --- | --- |
| QuickBooks reconciliation | Matches transactions and flags discrepancies | Scope to one client; the accountant reviews |
| Month-end close prep | Reconciles accounts and drafts a plain-English variance summary | One client folder, not the whole drive |
| First-draft financial statements | Assembles statements from the trial balance and working papers | A CPA reviews and signs; never auto-filed |
| Tax-document organization | Sorts and renames T-slips, receipts, and source documents | No SIN or tax data on a personal plan |
| AP and AR cleanup | Deduplicates and categorizes invoices and payments | Treated as a draft for review |

The confidentiality and client-data guardrails

The core guardrail is least privilege: scope Cowork to one client’s working folder, not the whole client drive or every company file. Classify what is allowed in (working documents for the active engagement) and what stays out (tax identifiers and client data beyond the scoped folder). Keep a CPA reviewing anything filed. Cowork runs in an isolated virtual machine, but prompts still reach Anthropic, so scope is the control that limits exposure.

The mistake we flag most often is scope. When a firm connects the agent to the entire client drive, a single task can read every client’s books. Scope it to the active engagement and most of the risk disappears.

Field note. In the firm pilots I’ve run, the first thing I change is access. I’ve seen a bookkeeper point an agent at a drive that held every client’s working papers. We scoped it to one engagement folder, and the workflow that felt reckless became routine. The work’s identical; the exposure isn’t.

The policy is the other half. A short rule set, the kind we cover in our guide on what belongs in an AI acceptable use policy, names the approved tool, the data that may go in, and who may run it. Fusion Computing pairs that with a cybersecurity review so the practice has a defensible position.

The oversight gap for CPA file documentation and CRA audits

Claude Cowork stores its conversation history locally on each user’s computer, and that activity is not captured by audit logs, the Compliance API, or data exports. For a CPA firm this matters: file documentation standards and CRA audit trails both assume the firm can reconstruct how a number was reached. Team and Enterprise owners can stream Cowork events to a SIEM through OpenTelemetry, which Anthropic notes does not replace audit logging for compliance.

According to Anthropic’s guidance on using Cowork on Team and Enterprise plans, the local history “is not subject to Anthropic’s standard data retention policies and cannot be centrally managed or exported by admins.” That doesn’t rule Cowork out. It means the firm designs its own record of AI-assisted work.

Fusion Computing wires the OpenTelemetry stream into the same monitoring we run for managed detection and response, so a practice sees tool calls and file access even though the transcript stays on the device. If a working paper could support a filing or a CRA query, the firm keeps that record on purpose.
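
As an added example (not Fusion Computing's or Anthropic's code), here is one way to turn that telemetry into a least-privilege check: flag any file access that falls outside the user's approved engagement folder. The event field names, tool names, user names, and paths are constructed assumptions, not Cowork's actual OpenTelemetry schema.

```python
import json
import ntpath

# Hypothetical policy: each named pilot user is approved for one engagement folder.
APPROVED_SCOPE = {"abaker": "C:/Clients/Acme Ltd/2025 Year-End"}

# Constructed sample events, one JSON object per line. The field names are
# assumptions, not Cowork's real telemetry schema; map them to your collector's output.
SAMPLE_EVENTS = """\
{"ts": "2026-01-12T14:02:11Z", "user": "abaker", "tool": "read_file", "path": "C:/Clients/Acme Ltd/2025 Year-End/tb.xlsx"}
{"ts": "2026-01-12T14:02:40Z", "user": "abaker", "tool": "read_file", "path": "C:/Clients/Acme Ltd/2025 Year-End/../../Birch Dental/ledger.qbw"}
{"ts": "2026-01-12T14:03:05Z", "user": "abaker", "tool": "read_file", "path": "c:/clients/ACME LTD/2025 year-end-old/tb.xlsx"}
{"ts": "2026-01-12T14:03:30Z", "user": "abaker", "tool": "list_dir", "path": "//fs01/clients"}
{"ts": "2026-01-12T14:04:02Z", "user": "cdiaz", "tool": "read_file", "path": "C:/Clients/Acme Ltd/2025 Year-End/tb.xlsx"}
{"ts": "2026-01-12T14:04:30Z", "user": "abaker", "tool": "web_search"}
"""

def _norm(path):
    # Collapse ".." segments, then unify separators and case (Windows path rules).
    return ntpath.normcase(ntpath.normpath(path))

def in_scope(path, scope):
    scope_n = _norm(scope)
    try:
        # commonpath compares whole components, so "...Year-End-old" does not
        # pass as a child of "...Year-End" the way a string prefix test would.
        return ntpath.commonpath([scope_n, _norm(path)]) == scope_n
    except ValueError:  # different drive, UNC share, or relative path
        return False

def out_of_scope(lines, policy=APPROVED_SCOPE):
    findings = []
    for line in filter(None, map(str.strip, lines.splitlines())):
        event = json.loads(line)
        path = event.get("path")
        if path is None:
            continue  # not a file event
        scope = policy.get(event["user"])
        if scope is None:
            findings.append((event["ts"], event["user"], path, "user has no approved scope"))
        elif not in_scope(path, scope):
            findings.append((event["ts"], event["user"], _norm(path), "outside engagement folder"))
    return findings

if __name__ == "__main__":
    for finding in out_of_scope(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Findings from a check like this can be filed with the engagement's working papers as part of the record the firm keeps itself.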

Plan tier and a setup checklist for an accounting firm

The plan tier is the first decision: only Team and Enterprise carry the “not trained on by default” commitment plus the admin controls a firm needs. A safe rollout is then short: scope to one client folder, keep “ask before acting” on for client books, write a usage policy, turn on OpenTelemetry monitoring, have a CPA sign off on filings, and check the vendor terms against CPA and CRA duties.

Cowork runs on Pro, Max, Team, and Enterprise plans per Anthropic’s release notes, but only the two business tiers fit client work. Here’s the checklist Fusion Computing runs with a firm before the first client file goes near the tool.

Why Canadian firms bring this work to Fusion Computing

CISSP-led, a Microsoft Solutions Partner and a CompTIA Managed Services Trustmark holder, securing IT for Canadian SMBs across Toronto, Hamilton, and Metro Vancouver since 2012.

  1. Choose Team or Enterprise. A bookkeeper running client books on a personal account is the first risk to fix.
  2. Scope to one client folder. Never the whole client drive or every company file. Widen only with a reason.
  3. Default to “ask before acting.” Cowork always asks before deleting files; keep approvals on for client data.
  4. Write an acceptable use policy. Name the approved tool, the data that may go in, and who may run it.
  5. Turn on OpenTelemetry monitoring. It’s the only visibility you have into what the agent did.
  6. Keep a CPA signing off. Nothing filed, from statements to returns, ships without review.
  7. Map the terms to your duties. Check Anthropic’s data handling against CPA confidentiality and CRA record-keeping before go-live.

None of it’s exotic, and most of it takes an afternoon. Fusion Computing sets it up as part of the managed IT work we already do for firms, and the same pattern carries to wealth management firms and healthcare clinics under their own regulators. If you want a second set of eyes before your firm pilots Cowork, talk to us or read more about how we work.

Claude Cowork is worth adopting for the reconciliation and document work that fills a practice. The firms that set the plan, the scope, and the policy first are the ones that’ll use it calmly through busy season while their competitors are still arguing about whether it’s allowed.

Fusion Computing helps Canadian businesses across Toronto and the GTA, Hamilton, and Metro Vancouver with managed IT, cybersecurity, and Microsoft 365.

Frequently Asked Questions

Is Claude Cowork safe for client books?

Claude Cowork can be safe for client books on a Team or Enterprise plan, with access scoped to one client folder and a CPA reviewing the output. The work runs locally and, on the business plans, is not used to train Anthropic’s models by default. Confidentiality stays the firm’s duty, so the controls around the tool are what make it safe.

Can Claude Cowork use my QuickBooks?

Yes. Claude for Small Business, which ships inside Cowork, connects natively to Intuit QuickBooks along with tools like PayPal and Microsoft 365. For a firm that means reconciliation and month-end prep can run against the live books. Scope the connection to one client and keep an accountant reviewing the result before it informs a filing.

Does Claude Cowork breach CPA confidentiality?

Using Claude Cowork does not breach CPA confidentiality by itself. The risk comes from careless setup. Confidentiality depends on controlling client information, so a firm should run Cowork on a business plan, scope it to one client folder, keep tax identifiers out of unscoped folders, and review anything before filing. The duty sits with the firm, not the tool.

What plan does an accounting firm need for Claude Cowork?

An accounting firm should use the Team or Enterprise plan, not a personal Pro or Max account. Only the business tiers carry Anthropic’s commitment not to train on your content by default, plus the owner and admin controls a firm needs. A bookkeeper running client books on a personal account is the first risk to remediate.

Is client tax data used to train the model?

On Team and Enterprise plans, your content is not used to train Anthropic’s models by default, so client tax data processed under a business plan stays out of training. Personal Pro and Max plans follow individual privacy settings, which differ from the business default. For a CPA firm, that difference is the reason to standardise on a business plan.

How is Claude Cowork different from Intuit Assist or accounting AI?

Intuit Assist and similar tools are built into specific accounting platforms. Claude Cowork is a general agent that works across your own files and apps on the desktop, and it can connect to QuickBooks through Claude for Small Business. For a firm, the practical differences are where the data lives, the admin and audit controls, and how broadly the agent can reach.

Does Claude Cowork work on Windows or only Mac?

Claude Cowork works on both macOS and Windows through the Claude desktop app, and it reached general availability on both on April 9, 2026. It is not available on the web or on mobile. Some capabilities, such as computer use, arrived first as research previews, so confirm the current feature list for your platform inside the app.

Who at the firm should run Claude Cowork?

Start with a small group who understand the engagement and the confidentiality duty, not the whole firm at once. Cowork is an organization-wide setting that owners can switch on or off, and granular per-user controls are limited, so a deliberate pilot with named users beats a broad rollout. Pair it with training and a written policy before wider use.

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.
